Huawei concerns not about China, says UK security chief

The head of the UK’s National Cyber Security Centre (NCSC) has said the current issues the organisation has with Huawei are about ensuring security standards and not the firm’s links to China.

Ciaran Martin said the NCSC had a “wealth of understanding” of the Chinese tech giant and would not compromise on security improvements it needed to see from the company.

Huawei is the subject of ongoing scrutiny from governments around the world because of security concerns over alleged links between the firm and the Chinese state – something Huawei has always denied – amid suggestions its position at the heart of telecoms networks could be exploited for Chinese intelligence purposes.

In the UK, Huawei is monitored by the Huawei Cyber Security Evaluation Centre (HCSEC), a body that contains Huawei officials, UK Government representatives and mobile operators.

Speaking at the Cybersec conference in Brussels, Mr Martin said: “Huawei’s presence is subject to detailed, formal oversight, led by the NCSC. Because of our 15 years of dealings with the company and 10 years of a formally agreed mitigation strategy which involves detailed provision of information, we have a wealth of understanding of the company.

“We also have strict controls for how Huawei is deployed. It is not in any sensitive networks – including those of the Government. Its kit is part of a balanced supply chain with other suppliers.

“Our regime is arguably the toughest and most rigorous oversight regime in the world for Huawei.”

The NCSC chief executive highlighted a report last year which gave only limited assurances Huawei could be securely used by the UK Government.

“As we said then, and repeat today, these problems are about standard of cyber security; they are not indicators of hostile activity by China,” he said.

“The company have accepted these findings and have pledged to address them, acknowledging that this will be a process of some years.

“We will monitor and report on progress and we will not declare the problems are on the path to being solved unless and until there is clear evidence that this is the case.

“We will not compromise on the improvements we need to see from Huawei.”

But he added the NCSC had seen little previous evidence in cyber attacks that the nationality of those supplying infrastructure equipment was linked to that of the attackers.

“In the 1,200 or so significant cybersecurity incidents the NCSC has managed since we were set up, the country of origin of suppliers has not featured among the main causes for concern in how these attacks are carried out,” he said.

Mr Martin described the current landscape for managing risks around cybersecurity as “complicated”, but did lay out three rules for ensuring the security of 5G networks, the next generation mobile communications networks expected to begin rolling out later this year.

“First, we must have higher standards of cybersecurity across the entire telecommunications sector,” he said.

“Second, telecoms networks must be more resilient. We must assume that a global supply chain will have multiple vulnerabilities, whether intentional or, more likely, unintentional.

“But the networks can and should be designed in a way that will cauterise the damage. Resilience is key.

“The third pre-condition flows from that. There must be sustainable diversity in the supplier market.”

He confirmed the Government would conclude its own analysis on 5G security policy in the spring, adding that no decisions on policy – including Huawei’s presence in 5G networks – have yet been taken.